Abstract

Quantum signature (QS) is used to authenticate the identity of the originator, ensure data integrity and 
provide non-repudiation service with unconditional security using quantum theories. It can be generally 
considered as arbitrated QS if a trusted third party named arbitrator is involved, and true QS if otherwise. 
In this paper, we analyze why arbitrated QS can sign quantum messages by providing a basic
framework, and settle the disagreement between the impossibility of true QS [1] and an existing true QS
scheme for quantum messages [2].
1. Introduction

Digital signature, as an analogy to hand-written signature for authenticating the origin of a message and
ensuring that the message is not modified during transmission, is an essential cryptographic primitive. It has
been widely used in various fields, particularly in secure electronic commerce. As Rivest predicted,
digital signature may become one of the most fundamental and useful inventions of modern cryptography
[3]. However, all of the existing classical (digital) signature schemes whose security depends on the difficulty
of solving some hard mathematical problems are threatened by the fast-increasing power of computers and
innovative techniques such as quantum computation. For instance, once quantum computers are
successfully built, most classical signature schemes would be cracked through Shor's algorithm [4]. On
the other hand, quantum physics has thrown light on the study of cryptography for obtaining unconditional
security [5, 6, 7, 8, 9, 10]. Therefore, researchers have turned to investigating the quantum counterpart of
classical signature, with the hope that quantum signature (QS) can provide unconditional security, which
ensures that the attacker (or the malicious receiver) cannot forge the signature and, at the same time, the
signatory cannot deny the signature, even though unlimited computing resources are available.

* Corresponding author.
Email address: liqin@xtu.edu.cn (Qin Li)
Preprint submitted to Elsevier
February 20, 2013

QS is expected to sign both classical and quantum messages, and the form of each quantum message can
be a known or an unknown quantum state. Since known quantum states can be characterized with classical
information, the quantum messages being considered in this paper are in the form of unknown quantum
states. Over the last decade, researchers have made some progress on QS. In 2001, Gottesman and Chuang
proposed a QS scheme based on quantum one-way function, which is unconditionally secure even against
quantum attacks [11]. However, this scheme works only on classical messages, and seems not practicable as
it would use up $O(m)$ qubits of the public key for signing an $m$-bit message. Even worse, in 2002
Barnum et al. showed that unconditionally secure QS for quantum messages is impossible [1].
This no-go theorem really disappointed many quantum cryptography researchers, but it did not abort the
study of QS. In the same year, Zeng and Keitel presented a QS scheme which can sign both classical and
quantum messages by introducing a trusted third party named arbitrator [12], and the scheme was improved
later [13, 14]. Afterwards, Li et al. observed that the GHZ states used in [12] could be replaced with Bell
states. They then put forward a more efficient scheme in [15]. Not long after that, Zou et al. showed that both
of the schemes proposed in [12] and [15] are insecure since they could be repudiated by the receiver Bob,
and further presented two arbitrated QS schemes to fix the problem [16]. Some other arbitrated QS schemes
[17, 18, 19, 20, 21] were also proposed since the study of arbitrated QS was initiated by Zeng and Keitel.
However, most typical arbitrated QS schemes were cryptanalyzed recently, and
researchers have begun to doubt whether unconditionally secure arbitrated QS schemes for quantum messages
can really exist. In order to allay doubts in this regard, we give a detailed analysis in this
paper explaining why the existence of arbitrated QS does not contradict Barnum et al.'s
conclusion, although some of those reasons were preliminarily mentioned by Li et al. in [15]. We will also
show that unconditionally secure arbitrated QS for quantum messages is possible. In addition, Zeng et al.
presented a true QS scheme in 2007 and claimed it can sign quantum messages with unconditional security
[2]. This result excited researchers in the field, and people asked: Is Barnum et al.'s conclusion
[1] wrong or Zeng et al.'s scheme [2] insecure? We shall provide the answer by showing the insecurity of
Zeng et al.'s scheme.

The rest of the paper is arranged as follows. Sec. 2 briefly reviews Barnum et al.'s no-go theorem for
signing quantum messages. Then we show that arbitrated QS can be used to sign quantum messages in
Sec. 3 and settle the disagreement between the impossibility of true QS and an existing true QS scheme
for quantum messages in Sec. 4. The last section concludes the paper.



2. Review of the no-go theorem for signing quantum messages 

This section briefly reviews Barnum et al.'s no-go theorem, which says that signing quantum messages is
impossible to realize.

Barnum et al. gave a detailed proof of the theorem, which they offered in [1], that quantum authentication
implies encryption. In other words, any scheme which wants to ensure the authenticity of quantum messages
must also encrypt them almost perfectly. However, in a QS scheme, the receiver should learn something about
the contents of the quantum message but is not allowed to change it. It follows that the theorem results in the
impossibility of signing quantum messages, since any non-trivial information gain from encrypted quantum
messages is only possible at the cost of introducing disturbance to them, which destroys the authenticity of
quantum messages.

To be more intuitive, one can assume the receiver is allowed to efficiently extract the original quantum
message $\rho$; then it is easy to show the receiver can generate a valid signature of a new message $\rho'$
favorable to him by the following steps. First suppose the receiver can extract the original message $\rho$ via
the transformation $U$ and leave the auxiliary state as $\varphi$, which may not be held entirely by the receiver.
Since $\rho$ should have been entangled with a reference system, $\varphi$ must be independent of $\rho$. Then the
receiver implements the transformation $U^{\dagger}$, which is the inverse process of $U$, on $\rho'$ and his part
of $\varphi$ to get a valid signature.
Obviously, this contradicts the security of the QS scheme and thus signing quantum messages is impossible.



3. Possibility of arbitrated QS for quantum messages 

In this section, we analyze why using arbitrated QS to sign quantum messages does not disagree with
Barnum et al.'s conclusion [1], and explain why it is possible to provide unconditional security by giving a
basic framework of such a scheme.

Although almost all existing arbitrated QS schemes were cracked recently [22, 23, 24, 25, 26], it does not
mean that arbitrated QS cannot provide unconditional security. The failures of the previous schemes are
mainly due to imperfections of their design. For example, all those schemes just employed the quantum one-time
pad to encrypt, but neglected to authenticate, the transmitted quantum messages. Quantum encryption does
not imply authentication, even though the converse is true [1]. Thus, the malicious receiver can change
the signed quantum message and the corresponding signature without being detected by implementing
appropriate unitary operations.
According to Barnum et al.'s no-go theorem, signing quantum messages is impossible because any protocol
which allows one receiver to read a quantum message also allows the receiver to modify the message
without the risk of being detected, and therefore all potential receivers of an authenticated message must
be trustworthy. In any arbitrated QS scheme, the arbitrator is always supposed to be trusted by both
signatory and receiver; we can assume that the real recipient of the authenticated message is the arbitrator,
who is in charge of the verification of the signature. After verifying the signature, the arbitrator can send a
parameter to indicate whether the signature is valid. The receiver would obtain the indication parameter,
and only needs to check whether the parameter and other information come from the real arbitrator. Based
on this idea, we can give a basic framework of an unconditionally secure arbitrated QS scheme for quantum
messages.

For better understanding, we introduce two notations before presenting the scheme. $Aut_K(\cdot)$ denotes
that unconditionally secure authentication with the key $K$ is used, such as the quantum authentication scheme
given in [1] for quantum information and the Wegman-Carter authentication scheme for classical information
in [27]. $Sig_K(\cdot)$ is an abstract secret transformation in terms of the key $K$. In an arbitrated QS scheme,
there are generally three phases: the initial phase, the signing phase, and the verification phase, as shown
below:

(1) At first, the signatory Alice shares a key $K_{Aa}$ with the arbitrator and the receiver Bob also has a key
$K_{Ba}$ shared with the arbitrator. This step constitutes the initial phase.

(2) Alice generates the signature $Sig_{SK_A}(P)$ of the message $P$ and computes
$\sigma = Aut_{K_{Aa}}(Sig_{SK_A}(P), P)$ for authentication. Note that, being the signing key of Alice, $SK_A$ is
always private. Alice then sends the authenticated signature state $\sigma$ to Bob. This is the signing phase.

(3) In the beginning of the verification phase, Bob produces $Y = Aut_{K_{Ba}}(\sigma)$ and transmits it to the
arbitrator.

(4) The arbitrator checks the authenticity of $\sigma$ with the key $K_{Ba}$. If there is anything wrong, the arbitrator
would abort the protocol immediately; otherwise, the arbitrator would examine whether $Sig_{SK_A}(P)$
and $P$ have been tampered with or not. If not, the arbitrator would verify whether $Sig_{SK_A}(P)$ is a valid
signature by employing some secret information, such as that related to Alice's signing key, and public
information $PK_A$ which is known to the arbitrator or receivers. If the verification process is passed, the
arbitrator sets the verification parameter $r = 1$; or else, $r = 0$. Finally, the arbitrator computes
$T = Aut_{K_{Ba}}(P, Sig_{SK_A}(P), r)$ and sends it to Bob.

(5) Bob authenticates what he has received. If the authentication test is passed and $r = 1$, he would
accept $Sig_{SK_A}(P)$ as the signature of $P$. This finishes the whole verification process.

Although the above arbitrated QS scheme is trivial, it obviously can avoid the attacks proposed recently
in [22, 23, 24, 25, 26] due to the use of authentication. In addition, under our assumption that the arbitrator is
trustworthy and is the only person who can verify $Sig_{SK_A}(P)$ with all the information he holds, the proposed
scheme is not only unconditionally secure, but also compatible with Barnum et al.'s conclusion. Actually, even
if Bob can directly verify $Sig_{SK_A}(P)$ only with $PK_A$ and produce the signature $Sig_{SK_A}(P')$ of another
message $P'$ favorable to him using the method given by Barnum et al., he is still not able to generate
$\sigma' = Aut_{K_{Aa}}(Sig_{SK_A}(P'), P')$ without knowing the key $K_{Aa}$. Hence he would not be able to convince other
receivers that $(P', Sig_{SK_A}(P'))$ is a valid message-signature pair. This shows that the verification made by
the arbitrator is indispensable to an arbitrated QS scheme.
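
The five steps and the forgery argument above can be traced in a classical stand-in (an added sketch, not code from the paper): byte strings replace quantum states, a one-time Wegman-Carter polynomial MAC plays $Aut_K$, and $Sig_{SK_A}$ is modelled as a tag the arbitrator can recompute. The function names, the split of $K_{Ba}$ into one one-time key per direction, and setting $r = 0$ when $\sigma$ has been tampered with are assumptions of this sketch.

```python
import hmac
import secrets

P = (1 << 61) - 1  # prime modulus of the polynomial universal hash

def keygen():
    """One-time key (a, b): evaluation point and additive mask."""
    return secrets.randbelow(P - 1) + 1, secrets.randbelow(P)

def wc_tag(key, *fields):
    """Wegman-Carter style tag over length-prefixed byte fields."""
    a, b = key
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    acc = 0
    for i in range(0, len(data), 6):
        # The trailing 0x01 keeps each block nonzero and length-unambiguous.
        block = int.from_bytes(data[i:i + 6] + b"\x01", "big")
        acc = (acc + block) * a % P
    return ((acc + b) % P).to_bytes(8, "big")

def alice_sign(sk_a, k_aa, msg):
    """Step (2): sigma = Aut_{K_Aa}(Sig_{SK_A}(P), P)."""
    sig = wc_tag(sk_a, msg)  # assumed stand-in for the abstract Sig_{SK_A}
    return msg, sig, wc_tag(k_aa, sig, msg)

def bob_forward(k_ba, sigma):
    """Step (3): Y = Aut_{K_Ba}(sigma), tagged with Bob's outbound key."""
    return sigma, wc_tag(k_ba[0], *sigma)

def arbitrate(sk_a, k_aa, k_ba, y):
    """Step (4): return T = Aut_{K_Ba}(P, Sig, r), or None on abort."""
    (msg, sig, t_a), t_y = y
    if not hmac.compare_digest(t_y, wc_tag(k_ba[0], msg, sig, t_a)):
        return None  # Y fails authentication: abort
    untampered = hmac.compare_digest(t_a, wc_tag(k_aa, sig, msg))
    valid = hmac.compare_digest(sig, wc_tag(sk_a, msg))
    r = b"\x01" if untampered and valid else b"\x00"
    return msg, sig, r, wc_tag(k_ba[1], msg, sig, r)

def bob_accept(k_ba, t):
    """Step (5): accept only an authentic T that carries r = 1."""
    if t is None:
        return False
    msg, sig, r, tag = t
    return hmac.compare_digest(tag, wc_tag(k_ba[1], msg, sig, r)) and r == b"\x01"

def run(forge):
    """Run the protocol once; with forge=True Bob swaps in a message P'."""
    sk_a, k_aa = keygen(), keygen()      # arbitrator holds both in this sketch
    k_ba = (keygen(), keygen())          # one one-time key per direction
    sigma = alice_sign(sk_a, k_aa, b"pay Bob 10")   # constructed sample message
    if forge:
        # Worst case of the no-go argument: Bob has a valid Sig_{SK_A}(P')
        # but not K_Aa, so he can only reuse the old authentication tag.
        new_msg = b"pay Bob 1000"
        sigma = (new_msg, wc_tag(sk_a, new_msg), sigma[2])
    return bob_accept(k_ba, arbitrate(sk_a, k_aa, k_ba, bob_forward(k_ba, sigma)))

if __name__ == "__main__":
    print("honest:", run(False), "forged:", run(True))
```

The forged run fails at the arbitrator's check of $\sigma'$ under $K_{Aa}$, which is the only place the substituted pair can be caught once a valid $Sig_{SK_A}(P')$ is assumed.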

4. Settlement of Conflicts 

We begin by reviewing Zeng et al.'s true QS scheme, which was claimed to be able to sign quantum messages
with unconditional security [2]. Then we show the insecurity of the scheme by attacking it successfully
using a method similar to that presented by Barnum et al. in [1].

4.1. Review of the existing true QS scheme

Zeng et al. recently proposed a true QS scheme for the purpose of signing quantum messages based on a suitable
one-way function [2] and claimed that the scheme is unconditionally secure. We briefly describe the
three phases (initial, signing and verification) of their scheme in the following. More details can be found in
[2].

• In the initial phase, the main goal is to generate the signature key $K_s$ and the verification key $K_v$ by
constructing a one-way transformation $G: \{L, X, T_{ij}\} \to \{U, \|T\|^{1/2}\}$, where $L$ is a linear
transformation mapping $x = (x_0, x_1, \ldots, x_{k-1}) \in \mathbb{R}^{k}$ to
$y(X) = y_0(x) = [x_0, y_1(x), \ldots, y_{2k-1}(x)]^{T} \in \mathbb{R}^{2k}$ and making any $k$-element subset of
$\{x_0, y_1, \ldots, y_{2k-1}\}$ linearly independent, $T$ satisfies
$T[y_{r_1}, y_{r_2}, \ldots, y_{r_k}]^{T} = T[x_0, y_{r_{k+1}}, \ldots, y_{r_{2k-1}}]^{T}$, and $U$ makes
$U|y_{r_1}\rangle_{r_1}|y_{r_2}\rangle_{r_2}\cdots|y_{r_k}\rangle_{r_k} = |x_0\rangle_{r_1}|y_{r_{k+1}}\rangle_{r_2}\cdots|y_{r_{2k-1}}\rangle_{r_k}$.
$K_s$ is expressed as $K_s = \{L, X\}$ and $K_v$ is set as $K_v = \{U, \|T\|^{1/2}\}$.

• In the signing phase, according to $K_s$, the signatory Alice prepares $2k-1$ ancilla states
$|\omega(X)\rangle = |y_1(X)\rangle_1 \cdots |y_{2k-1}(X)\rangle_{2k-1}$ and encodes the message state $P$ with a wave
function $\langle x_0|P\rangle$ as $|S\rangle = \int |P\rangle|\omega\rangle\,dX$. Then Alice prepares a two-particle
entangled state $|\Omega\rangle = \int |y_{k+1}\rangle_{r_2}|y_{k+1}\rangle_{r_{k+1}}\,dx$ in terms of $K_s$ and generates a
signature state $|S^{*}\rangle = |S\rangle \otimes |\Omega\rangle$. Finally $|S^{*}\rangle$ and $|P\rangle$ are sent to the
receiver Bob.

• Bob implements the verification process by the following four steps: (1) Bob checks whether the state
$|S\rangle$ is a $2k$-particle QECC by performing a syndrome measurement on it. (2) In terms of $K_v$, Bob
decodes $|S\rangle$ as

$$
\begin{aligned}
K_v|S\rangle \to U|S\rangle
&= J\|T\|^{1/2}\int \{|P\rangle_{r_1}|y_{r_{k+1}}\rangle_{r_2}|y_{r_{k+1}}\rangle_{r_{k+1}} \otimes \cdots \otimes |y_{r_{2k-1}}\rangle_{r_k}|y_{r_{2k-1}}\rangle_{r_{2k-1}}\}\,dX \\
&= J\|T\|^{1/2}|P\rangle_{r_1}|\eta\rangle_{r_2,r_{k+1}}|\eta\rangle_{r_3,r_{k+2}}\cdots|\eta\rangle_{r_k,r_{2k-1}},
\end{aligned}
\qquad (1)
$$

where $J$ is the Jacobian for the transformation from $X$ to $y(X)$, and
$|\eta\rangle_{i,j} = \int |y_l\rangle_i|y_l\rangle_j\,dx$ $(i = r_2, \ldots, r_k;\ j, l = r_{k+1}, \ldots, r_{2k-1})$, which is an
entanglement state of particles $i$ and $j$. (3) Bob verifies the entanglement properties of the $k-1$ states
$|\eta\rangle_{r_2,r_{k+1}}, |\eta\rangle_{r_3,r_{k+2}}, \ldots, |\eta\rangle_{r_k,r_{2k-1}}$, respectively. (4) Bob
checks whether the decoded message state is the same as the received message state, and tests the
equality of the decoded two-particle entangled state $|\eta\rangle_{r_2,r_{k+1}}$ and the received two-particle entangled
state $|\Omega\rangle$. If there is a failure in any step, Bob will reject $|S\rangle$ and stop the protocol.

4.2. Insecurity of the existing true QS scheme

The above scheme used for signing quantum messages does not involve a trusted arbitrator to help
the receiver verify the signature. Any receiver, who is not always trustworthy, can verify the validity of the
signature directly. This scheme obviously violates Barnum et al.'s conclusion [1], which stated that signing
quantum messages is impossible since any scheme which allows one receiver to read a quantum message also
allows the receiver to modify the message without the risk of being detected, and therefore all potential
receivers of an authenticated message must be trustworthy. Therefore, if Barnum et al.'s conclusion is right,
Zeng et al.'s scheme cannot be secure, and vice versa. In the following, we show that Barnum et
al.'s conclusion also applies to Zeng et al.'s scheme and the scheme is insecure.

Firstly, we assume the receiver Bob gets the message $P$ and the corresponding valid signature
$|S^{*}\rangle = |S\rangle \otimes |\Omega\rangle$ using Zeng et al.'s scheme. We then show Bob can forge a valid signature of
another message $P'$ beneficial to him using the following steps: 1) After decoding the state $|S\rangle$ in the way
expressed in Eq. (1), Bob replaces the decoded message state $|P\rangle$ with a new message state $|P'\rangle$, and the
state of the whole system is changed to
$|\Phi\rangle = J\|T\|^{1/2}|P'\rangle_{r_1}|\eta\rangle_{r_2,r_{k+1}}|\eta\rangle_{r_3,r_{k+2}}\cdots|\eta\rangle_{r_k,r_{2k-1}}$.
2) Bob applies $U^{\dagger}$, which is the inverse transformation of $U$, on $|\Phi\rangle$ to get
$|S'\rangle = U^{\dagger}|\Phi\rangle$. 3) Bob generates the signature state
$|S^{\prime *}\rangle = |S'\rangle \otimes |\Omega\rangle$ of $|P'\rangle$ by combining $|S'\rangle$ and $|\Omega\rangle$. The new
message-signature pair $(P', |S^{\prime *}\rangle)$ is valid since it can be shown to
pass the four steps of the verification phase: since $|S\rangle$, which Bob holds, is a valid signature, the entanglement
properties of $|\eta\rangle_{r_2,r_{k+1}}, |\eta\rangle_{r_3,r_{k+2}}, \ldots, |\eta\rangle_{r_k,r_{2k-1}}$ are kept and the decoded
state $|\eta\rangle_{r_2,r_{k+1}}$ will be the same as $|\Omega\rangle$; hence Step (3) and Step (4) can be passed. Moreover,
due to $U|S'\rangle = UU^{\dagger}|\Phi\rangle = |\Phi\rangle$, Step (2) should
also be passed. Finally, suppose $|S^{\prime\prime *}\rangle = |S''\rangle \otimes |\Omega\rangle$ is the correct signature of
$|P'\rangle$; then $|S''\rangle$ must be a $2k$-particle
QECC. As $U|S''\rangle = |\Phi\rangle = U|S'\rangle$, $|S'\rangle$ is identical to $|S''\rangle$ and is also a $2k$-particle QECC,
which implies that Step (1) will be passed.

5. Conclusion 

In this paper, we have shown that arbitrated QS does not contradict Barnum et al.'s conclusion about the
impossibility of QS for quantum messages [1], and have proven that it is possible to sign quantum messages
with unconditional security by giving a basic framework of such a scheme. In addition, we have also explained
that the existing true QS scheme presented by Zeng et al. [2] cannot get rid of the restriction of Barnum et
al.'s no-go theorem because the scheme is insecure. But still, Barnum et al.'s conclusion does not preclude
the possibility of QS for classical messages. So, how to construct efficient QS schemes to sign classical
messages will be the direction of our work in the near future.

Acknowledgement 

This work is partially supported by Natural Science Foundation of China (Grant Nos. 61202398, 
61272295, and 61070232), Scientific Research Fund of Hunan Provincial Education Department (Grant 
No. 12C0400), Internal Research Grant of The Hong Kong Institute of Education (Grant No. RG 66/11- 
12), and the Foundation for Distinguished Young Talents in Higher Education of Guangdong (Grant No. 
LYM11093). 

References 

[1] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, A. Tapp, Authentication of quantum messages, in: Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002, pp. 449-458.
[2] G. H. Zeng, M. Lee, Y. Guo, G. Q. He, Continuous variable quantum signature algorithm, International Journal of Quantum Information 5 (2007) 553-573.
[3] R. Rivest, Cryptography, Vol. 1, Elsevier, 1990, Ch. 13, pp. 715-755, Handbook of Theoretical Computer Science.
[4] P. W. Shor, Algorithms for quantum computation: Discrete logarithms and factoring, in: Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science, 1994, pp. 124-134.
[5] C. H. Bennett, G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in: Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, 1984, pp. 175-179.
[6] A. K. Ekert, Quantum cryptography based on Bell's theorem, Physical Review Letters 67 (1991) 661-663.
[7] G. Brassard, The dawn of a new era for quantum cryptography: The experimental prototype is working!, Sigact News 20 (1989) 78-82.
[8] H.-K. Lo, H. F. Chau, Unconditional security of quantum key distribution over arbitrarily long distances, Science 283 (1999) 2050-2057.
[9] C. H. Bennett, D. P. Divincenzo, Quantum information and computation, Nature 404 (2000) 247-255.
[10] D. Mayers, Unconditional security in quantum cryptography, Journal of the ACM 48 (2001) 351-406.
[11] D. Gottesman, I. L. Chuang, Quantum digital signatures, arXiv:quant-ph/0105032 (2001).
[12] G. H. Zeng, C. H. Keitel, Arbitrated quantum-signature scheme, Physical Review A 65 (2002) article no. 042312.
[13] M. Curty, N. Lütkenhaus, Comment on "arbitrated quantum-signature scheme", Physical Review A 77 (2008) article no. 046301.
[14] G. H. Zeng, Reply to "comment on 'arbitrated quantum-signature scheme'", Physical Review A 78 (2008) article no. 016301.
[15] Q. Li, W. H. Chan, D. Y. Long, Arbitrated quantum signature scheme using Bell states, Physical Review A 79 (2009) article no. 054307.
[16] X. F. Zou, D. W. Qiu, Security analysis and improvements of arbitrated quantum signature schemes, Physical Review A 82 (2010) article no. 042325.
[17] H. Lee, C. Hong, H. Kim, J. Lim, H. J. Yang, Arbitrated quantum signature scheme with message recovery, Physics Letters A 321 (2004) 295-300.
[18] X. Lü, D. G. Feng, An arbitrated quantum message signature scheme, in: Proceedings of the 1st International Symposium on Computational and Information Science, 2004, pp. 1054-1060.
[19] X. Lü, D. G. Feng, Quantum digital signature based on quantum one-way functions, in: Proceedings of the 7th International Conference on Advanced Communication Technology, 2005, pp. 514-517.
[20] J. Wang, Q. Zhang, C. J. Tang, Quantum signature scheme with message recovery, in: Proceedings of the 8th International Conference on Advanced Communication Technology, 2006, pp. 1375-1378.
[21] J. Wang, Q. Zhang, C. J. Tang, Efficient quantum signature protocol of classical messages, Journal on Communications 28 (2007) 64-68, in Chinese.
[22] F. Gao, S. J. Qin, F. Z. Guo, Q. Y. Wen, Cryptanalysis of the arbitrated quantum signature protocols, Physical Review A 84 (2011) article no. 022344.
[23] J. W. Choi, K. Y. Chang, D. Hong, Security problem on arbitrated quantum signature schemes, Physical Review A 84 (2011) article no. 062330.
[24] Z. W. Sun, R. G. Du, B. H. Wang, D. Y. Long, Improving the security of arbitrated quantum signature protocols, available at arXiv:quant-ph/1107.2459 (2011).
[25] S.-K. Chong, Y.-P. Luo, T. Hwang, On the "security analysis and improvements of arbitrated quantum signature schemes", available at arXiv:quant-ph/1105.1232 (2011).
[26] T. Hwang, Y.-P. Luo, S.-K. Chong, Comment on "security analysis and improvements of arbitrated quantum signature", available at arXiv:quant-ph/1109.1744 (2011).
[27] M. N. Wegman, L. Carter, New hash functions and their use in authentication and set equality, Journal of Computer and System Sciences 22 (1981) 265-279.